Russia Wants To Launch Backup DNS System By August 1, 2018 (bleepingcomputer.com) 160

An anonymous reader shares a report from BleepingComputer: The Russian government plans to build its own "independent internet infrastructure" that will be used by BRICS member states -- Brazil, Russia, India, China, and South Africa. The plan was part of the topic list at the October meeting of the Russian Security Council, and President Vladimir Putin approved the initiative with a completion deadline of August 1, 2018, according to Russian news agency RT. The Russian Security Council has today formally asked the country's government to start the building of a backup global DNS system that Russia and fellow BRICS member states could use. The Russian Security Council cited the "increased capabilities of western nations to conduct offensive operations in the informational space." Russia, China, and many other countries have criticized the U.S. for hoarding control over the domain naming system (DNS), a position they claim has allowed the U.S. to intercept and tap global internet traffic. The U.S. relinquished control over the DNS system last year.
This discussion has been archived. No new comments can be posted.

  • by Paradroid888 ( 1699938 ) on Friday December 01, 2017 @08:04AM (#55656989)

    I don't know if this can be stopped but it should be.

    • I don't know if this can be stopped but it should be.

      Fuck that, I hope every nation does this. I might finally be able to play a game of DotA 2 without it being filled with a bunch of toxic Peruvians claiming everyone is a "rat."

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You don't know how "the web" works. Anyone can make their own DNS system and many of us do. It's easy and changes nothing about the rest of the internet.

      • by DaMattster ( 977781 ) on Friday December 01, 2017 @09:31AM (#55657323)

        You don't know how "the web" works. Anyone can make their own DNS system and many of us do. It's easy and changes nothing about the rest of the internet.

        I have my own DNS servers too. As you say, anyone can stand one up. Just choose your favorite *NIX distribution and configure Unbound and NSD. BOOM! There you go.

    • I blame Ajit Pai. [youtube.com]

    • by Escogido ( 884359 ) on Friday December 01, 2017 @08:56AM (#55657151)

      My guess is Russian logic goes like this: it is not improbable that the relationship between the US and Russia could deteriorate to a level where the US would use control of the root DNS as a weapon. Unfortunate as it may be, this move appears to be an adequate reaction to this possible threat.

      • by ctilsie242 ( 4841247 ) on Friday December 01, 2017 @09:19AM (#55657255)

        The UN owns ICANN now. The US ceded control over it last year to the UN. The BRICS countries have just as much control over it as their Western counterparts.

        As for having one's own DNS, it might be a good idea. In fact, it might be wise for each country to have its own system internally. China does, where there are TLDs that require kanji characters to access. Iran is working on that. Done right, it wouldn't be fragmentation, since the existing DNS system would be in place, but would give countries some independence and access to their own sites, should politics (regardless of who started it) go against them.

        • Oh, I did not know about the UN and ICANN - good thing they did, too. And I agree about every country having their own DNS is also good.

          From what I read in the published protocols of the Russian Security Council meetings a couple years ago, it has been stated that the country must be prepared for all kinds of possible shenanigans regarding internet connectivity on all levels, from traffic routing and DNS to actual internet services. I have no idea how much Russia relies on the non-Russian servers to route t

        • Going by this, it sounds like the US should launch a backup DNS system.

          Is there a 'DNS Gap' that needs to be closed?

        • China does, where there are TLDs that require kanji characters to access

          Uh dude. Don't call them 'kanji' around Chinese people.

        • by swb ( 14022 )

          The BRICS countries have just as much control over it as their Western counterparts.

          I think you meant to write:

          The Russia and China don't have the kind of control they want.

          I'm curious how the whole "BRICS" alliance is still a thing these days. I don't see where South Africa has much in common with the others. India is more or less in competition with China. China is the 800 lb gorilla in the group. Russia pretty much can't be trusted at all.

        • by ttsai ( 135075 )

          China does, where there are TLDs that require kanji characters to access.

          Wow, parts of the Chinese system require Japanese characters? That's sort of like saying that the British use the American alphabet.

          • by mysidia ( 191772 )

            hànzì, and they're used by the Chinese, the Japanese adapted them to kanji () , Koreans as Hanja (), the Vietnamese, and some others.

            • by ttsai ( 135075 )

              hànzì, and they're used by the Chinese, the Japanese adapted them to kanji () , Koreans as Hanja (), the Vietnamese, and some others.

              Yes, it's obvious to Westerners that kanji is meant to cover all Chinese-character derived ideograms. However, I'm pretty sure no Chinese person has ever thought of Chinese characters as "kanji". It's not a big deal to Westerners. However, it does have a similar connotation to saying that the British speak the American language. The two languages are related, and the meaning is mostly clear, but the connotations are very different and would be probably grating to the British.

              • by mysidia ( 191772 )

                However, I'm pretty sure no Chinese person has ever thought of Chinese characters as "kanji".

                They are not.. the characters are not Kanji to the Chinese; I am just saying we can overlook the obvious error and see what the poster meant....

                People vaguely familiar to the situation should be very familiar with the fact that the Kanji is the uniquely-Japanese writing system that uses the shared Chinese ideograms, and it's the set of Ideograms not the local adaptation called Kanji or the language that are sha

                • by ttsai ( 135075 )

                  However, I'm pretty sure no Chinese person has ever thought of Chinese characters as "kanji".

                  They are not.. the characters are not Kanji to the Chinese; I am just saying we can overlook the obvious error and see what the poster meant....

                  People vaguely familiar to the situation should be very familiar with the fact that the Kanji is the uniquely-Japanese writing system that uses the shared Chinese ideograms, and it's the set of Ideograms not the local adaptation called Kanji or the language that are shared.

                  Ironically it's the people who know the difference that would be the most irritated by the "typo." My point is that the connotation of such terms is dependent on the viewpoint of the listener. For Westerners, using kanji to denote Chinese characters is simply a typo, but not necessarily so for Chinese, especially those that still bear resentment toward the Japanese based on events from the last century. This is a common theme of language-based communication, that the connotation often carries more meaning

        • by mysidia ( 191772 )

          No... ICANN is an independent organization of its own. The UN doesn't "own" other organizations.

        • by Tom ( 822 )

          The BRICS countries have just as much control over it as their Western counterparts.

          On paper, yes. If I were a country that is under active, ongoing attack by US propaganda, I would think twice about how much that paper is actually worth as well.

          It's relatively cheap to set up a couple root DNS servers, and in case some shit hits the fan, it will really, really help you a lot. So the cost-benefit ratio is quite good and it's a move that probably comes out as recommended if you run the risk analysis.

        • Just to clarify here: kanji is the Japanese term for Chinese characters. Hanzi is the Chinese term for these characters. So when talking about Chinese characters in the context of China, use "hanzi" and not "kanji". Although if slashdot supported unicode, you'd be able to render the characters for hanzi and kanji and then see that they're the same characters.

        • The US ceded control over it last year to the UN.

          And guess who owns the UN?

      • I don't think Russia is concerned about US control of DNS as a weapon. Russia is concerned about the continued operational existence of DNS under US control. The US is already taking the first step towards internet destruction with the removal of Net Neutrality. A principle the net has had since the very beginning.

        And then there is also maybe a concern about the continued existence of the US itself. At least at a level of competence sufficient to continue to operate DNS and other core internet infras
        • by anegg ( 1390659 ) on Friday December 01, 2017 @10:58AM (#55657751)

          I'm not arguing against you; just pointing out two aspects of your statement that might benefit from clarification:

          1. The "early" Internet (a problematic term, I admit) did not have "net neutrality" in a pure sense; it did not allow commercial use. So while it is true that at that point no commercial interests were acting as gatekeepers/toll booths, this was trivially true because there were no commercial interests on the network. I suspect that there may have been debate amongst early Internet pioneers about what kinds of policies might become necessary for controlling/prioritizing traffic; I don't know whether they foresaw just how significant the Internet would become or how commercial interests would seek to monetize it. (For the record, I'm in favor of the US classifying ISPs as common carriers under Title II.)

          2. The U.S. policies such as whether US ISPs are regulated as "common carriers" under US law/regulations may have some related effects on the global Internet, but these policies only affect ISP operations in the U.S., not all Internet service providers globally. Other countries are free to choose how they regulate data traffic within their borders, including traffic on the "Internet." So it may be an overstatement to claim that the US is on a path towards "Internet destruction" by a change in regulation that applies to US ISPs only.

    • by rwven ( 663186 )

      Why? A cornerstone of the internet is that no one should be able to hold all the cards. While I'm not a big fan of Russia doing it, ideologically it's good that *someone* is. The more the merrier in this space, imho.

      • by iczer1 ( 991037 )
        The Register has a good article on this:
        http://www.theregister.co.uk/2... [theregister.co.uk]

        "The policy document instead leaves people assuming Russia et al are forming a breakaway internet. In reality, it's basically calling for yet more root mirrors."
        "But a parallel domain name system with a separate set of root zone servers? There's virtually no point."

    • by jbmartin6 ( 1232050 ) on Friday December 01, 2017 @09:51AM (#55657405)
      "the web" isn't a monolithic thing which can be forked. It is a network of networks. Lots of different groups do lots of different things using the network, this is just one more
  • Backup? (Score:5, Insightful)

    by sqorbit ( 3387991 ) on Friday December 01, 2017 @08:06AM (#55657001)
    A backup makes it sound like it is a plan in case of failure. This sounds a bit like they are looking for an alternate DNS if they disapprove of something the US (or other countries) has done. From the article "In addition, the backup DNS system also allows these states to isolate websites and services that other countries could not access."
    • If it meant the bots of the world that all seem to resolve to China and Russia would lay off the rest of us, then I could see this as a good thing. Trouble is, this is just DNS, so it won't do that.

      China and Russia have a pretty tight grip on their nations and so I can imagine that use of this alternative DNS will be mandatory. It will also have lots of government meddling in it, so will be something of a 'censored web' experience. It'll mean that casual Internet use won't accidentally trip over anything aw

      • by sjames ( 1099 )

        But if that DNS is accessible to those of us in the west, it will be a great benefit. For example, the next time a western government decides to censor the web by de-registering (for example) thepiratebay.org, we can do the DNS lookup using the alternate DNS.

    • It does, however BRICS members haven't been shining examples of free speech. So either it is a way to allow themselves to isolate from the world, because they are expecting to do some things the rest of the world won't like, and could be facing removal. Or a nice way to move its citizens to a state sponsored internet.
      Or it could just be what they are saying it is, just a backup to DNS, just because having it under US Control is risky.

    • Or, rather, if the US disapproves of something Russia does.

    • by mjwx ( 966435 )

      A backup makes it sound like it is a plan in case of failure. This sounds a bit like they are looking for an alternate DNS if they disapprove of something the US (or other countries) has done. From the article "In addition, the backup DNS system also allows these states to isolate websites and services that other countries could not access."

      Any country that doesn't have a similar backup plan is setting themselves up for a failure, this includes the US.

      If the US is ever daft enough to use DNS as a weapon, it will immediately Balkanise the internet as the DNS root becomes inherently untrustworthy. Not just by your enemies, but also your allies. Europe and China will be the first to migrate away, setting themselves up as alternative root DNS sources. Then we'll have to decide which DNS is trustworthy, which won't be a simple feat.

      Whilst I ho

  • Are only useful if people point their requests to them.

    Just ask your comcast or spectrum servers.

    It could be worse, the UN could be taking over the root servers, followed by 14 years of meetings to decide which DNS Council member would have complete control.

    • by Baron_Yam ( 643147 ) on Friday December 01, 2017 @08:57AM (#55657155)

      >Are only useful if people point their requests to them.

      Most people pick up their ISP's settings, which means the ISP's DNS servers are the first point of contact with the greater DNS hierarchy.

      It wouldn't be terribly difficult in Russia to mandate that ISPs use the Russian system by default.

      • by jon3k ( 691256 ) on Friday December 01, 2017 @10:30AM (#55657605)
        This is how I expect it to work, along with requiring Russian ISPs to block DNS requests to any other address by law.

        So previously, resolution (for 99% of end users) worked like this: User > ISP DNS (recursive resolver) > Authoritative nameserver (eventually, please let's not get dragged into the weeds here, we all understand the process)

        Now it will be: User > ISP DNS (forwarder) > Russian Government DNS Servers (recursive resolver) > Authoritative name server

        Then, the government just requires ISP to: deny [tcp|udp] any any 53.

        The only way around this would be for people to run DNS on a non-standard port (and reconfigure resolver libraries to use a non-standard port, good luck on people's iPhones) or to use a VPN to tunnel traffic. This would effectively block probably 99% of Russian (or BRICS) DNS traffic.

        I don't think their goal is to block 100%. This is to block enough to have a de facto internet "Kill Switch". Anytime they want, the "Russian Government DNS" server above just disables recursive DNS resolution for everything but Russian government TLD and you've effectively shut down the Internet. This also gives the government a tremendous amount of direct access to data from users. It's terrifying and awful, but smart for them.
        • As I believe I've said before... if I were designing the Internet from scratch, I'd have it geopolitically segregated-but-connected. Geography and politics are in most cases very real and practical dividing lines.

          Every nation should control its own TLD, every nation should have the ability to control what data crosses their borders. Free nations, of course, should not exercise that control absolutely... but they should still have it.

          I would absolutely love a world in which we all get along and national bo

          • by jon3k ( 691256 )

            A nation that does not control its 'cyberspace' isn't a nation

            Which nation "controls its cyberspace"? China is probably the closest and most people find it trivial to circumvent.

    • by ljw1004 ( 764174 )

      It could be worse, the UN could be taking over the root servers, followed by 14 years of meetings to decide which DNS Council member would have complete control.

      That sentence doesn't make sense. "UN" basically means "the collective will of the world's nations". If the world's nations collectively want something to be done, they do it (e.g. eradicate polio). If they can't collectively agree on action then it doesn't get done (e.g. help Syria).

      Writing it out, your sentence becomes:

      "It could be worse. The root servers could be managed by the collective will of the world's nations, followed by 14 years of meetings when they find there isn't actually a collective agreem

  • by OzPeter ( 195038 ) on Friday December 01, 2017 @08:37AM (#55657091)

    It seems to be the answer to everything these days

    • by Anonymous Coward

      But that is usually followed by "In fact, forget the DNS... and the blackjack" so.... nothing's gonna happen, except for a lot of hookers.

  • by Ayano ( 4882157 ) on Friday December 01, 2017 @08:55AM (#55657137)
    Well now.
  • KREMVAX was an April Fools' joke, but in the Soviet Union there was a UUCP-like networking system.
  • So, if my browser looked up each page in both DNS systems, and showed a warning in case of a mismatch, that would give me a higher certainty that the source is not being intercepted at the DNS level, right?

    • Not sure why your browser would be doing DNS lookup.
      However, if you were to query this Russia DNS and some other DNS server and came up with different results, then you would know either: 1) that one DNS has a different value, 2) that the address requested has load balancing IPs and you got different addresses, 3) that someone did a man in the middle attack and gave you a different address, and if you are really worried that this is a possibility then you should be using DNSSEC.
  • I want to know what problem they are hoping to solve. Anyone can stand up their own DNS infrastructure. All you need is two static IP addresses and (preferably) two computers. Just load your choice of operating system and Unbound and NSD. If the Russians are hoping to control politically objectionable material, DNS is the wrong way to go about it. If they're concerned about being denied access to the DNS system, there are easy ways to get around that too. It seems to me that Vladimir Putin does not really

    • by jon3k ( 691256 )
      First, they can easily require ISPs to block any other DNS requests. Second, I think they'll only want to stop the 99% of people (to avoid something like a revolt or mass protest). The remaining 1% they can identify by their traffic (e.g., attempts to circumvent DNS) and monitor their traffic.
  • by zarmanto ( 884704 ) on Friday December 01, 2017 @09:23AM (#55657281) Journal

    Every bit of that was hypocritical bull. It's an open secret that Russia has been conducting their own offensive operations for years now, and they have been getting away with it specifically because the US can't "intercept and tap global internet traffic" as the Russians claim.

    But their excuses for segmenting off their own corner of the internet aren't really meant for us, anyway; they're directed inward. In fact, this entire maneuver is almost certainly directly linked to Russia's desire (and that of their allies) to more thoroughly block access at will to large swaths of the internet, for their own populace. Don't like the latest anti-Russian sentiment on Slashdot or on Facebook, because it comes too close to exposing the truth? No problem -- just block it! When they start implementing their real agenda, they'll likely position it as an "anti-porn" initiative or some such thing, but make no mistake; this is all about controlling the information that reaches the people that matter the most... the ones who might one day rise up against the Orwellian control being exerted by their government.

    Information control only works for so long, before little bits of the truth leak through the cracks.

  • Perhaps I'm being a bit paranoid, but to me this suggests they're creating a backup NOT because of the USA's control over DNS, but as a backup for if they were to attack the existing DNS infrastructure. Current DNS providers should take this news as a reason to further invest in hardening their systems, and possibly pushing for bug bounties to bring vulnerabilities to light. Especially in the wake of various NSA / CIA toolkits getting exposed, there could be existing vulnerabilities known to government

  • by DickBreath ( 207180 ) on Friday December 01, 2017 @10:20AM (#55657567) Homepage
    If Russia does launch alternate DNS servers, will they use re-usable boosters?
  • Being Russian I am sure it will be home to every hacker and ne'er-do-well on the internet. I trust them even less than I do Google, Apple and Microsoft.

  • So if I'm visiting Russia, and the DNS redirects me to a malicious version of a site I "trust", how will I know? Even if it's https, the malicious site could be using a different cert authority, which says that the certificate is legit.
    • by PPH ( 736903 )

      How could you tell if they ran their entire address space as one giant NAT? Even if you have an /etc/hosts IP address, how could you be sure that you were not routed back to an internal evil site at their country firewall?

      • Even if you have an /etc/hosts IP address, how could you be sure that you were not routed back to an internal evil site at their country firewall?

        Exactly! The only solution that I can come up with right now is self-signed certs. The first time you visit a site, the browser remembers the self-signed cert. Then should the next visit to the same URL result in a different cert, block. But browsers seem to fear self-signed certs more than an unencrypted stream.

  • Interesting. So with two DNS systems, I can easily look up the DNS of a site in two independent sources, and actually corroborate it? That's fantastic! If both the USA and Russia agree, I can be way more sure.

    Maybe we should have a third, like Australia, or Argentina, so we can have a 2 vs 1 determination? Hell, call it DNS-5 and store it parity-distributed like RAID-5 and be beautiful.

    • by Z00L00K ( 682162 )

      The problem is that if you ask for a site and you get three different answers - which one do you trust?

      • Silly question, as it pertains to everything on earth. 3 is better than 1. You can take the majority, you can do something else entirely, you can fail outright, you can know that something's wrong, that's the exception not the rule.
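
The cross-checking idea raised in this sub-thread and in the earlier "look up each page in both DNS systems" question, as an added example that is not part of any poster's comment: it parses raw A-record responses from several resolvers and sorts the outcome into the cases the replies list (same answer, overlapping load-balanced sets, a two-versus-one outlier, or no agreement). The resolver labels, the `build_response` helper and the documentation-range addresses are constructed for the illustration.

```python
import struct
from collections import Counter

def build_response(name, addrs):
    """Construct a minimal DNS A-record response (sample data for this example)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    msg += qname + struct.pack("!2H", 1, 1)                        # QTYPE=A, QCLASS=IN
    for a in addrs:
        # 0xc00c is a compression pointer back to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)
        msg += bytes(map(int, a.split(".")))
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # a pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def parse_a_records(msg):
    """Extract the set of IPv4 addresses from a raw DNS response."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return frozenset(addrs)

def corroborate(responses):
    """responses: {resolver_label: raw_bytes}. Returns (verdict, detail)."""
    if len(responses) < 2:
        raise ValueError("need answers from at least two resolvers")
    parsed = {label: parse_a_records(raw) for label, raw in responses.items()}
    sets = list(parsed.values())
    if len(set(sets)) == 1:
        return "agree", sorted(sets[0])
    common = frozenset.intersection(*sets)
    if common:
        # Different but overlapping sets: consistent with load-balanced records.
        return "overlap", sorted(common)
    top, votes = Counter(sets).most_common(1)[0]
    if votes > len(sets) / 2:
        # Two-versus-one style result: report which resolvers disagree.
        return "majority", sorted(l for l, s in parsed.items() if s != top)
    # No agreement at all. This flags the name for a closer look; it does not
    # by itself prove tampering, since CDNs can return disjoint address sets.
    return "conflict", sorted(parsed)

if __name__ == "__main__":
    sample = {
        "resolver-a": build_response("example.org", ["192.0.2.10"]),
        "resolver-b": build_response("example.org", ["192.0.2.10"]),
        "resolver-c": build_response("example.org", ["203.0.113.66"]),
    }
    print(corroborate(sample))
```

A mismatch only says that the resolvers disagree; DNSSEC validation, which one reply above recommends, is what ties an answer to the zone's signing key.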

  • That's more or less what this sounds like. To borrow from a meme: This kills the Internet. Everyone here in the U.S. worries about the loss of Net Neutrality regulations allowing American ISPs to create 'walled gardens'? Well, that's Amateur Night compared to what'll happen to the Internet worldwide if a bunch of countries start literally forking it like this.
